VYPR
Research · Published Jun 12, 2026 · 1 source

Industrial-Scale Malicious Domain Assembly Line Registered 1.5 Million Domains in Five Months

Researchers analyzed over 1.5 million malicious domains flagged on VirusTotal between January and May 2026, revealing an assembly-line approach where domains are registered in industrial batches, weaponized within weeks, and concentrated among a small set of registrars and hosting providers.

Attackers registered roughly 1.5 million malicious domains during the first five months of 2026, according to new research that examined domains flagged on VirusTotal between January and May 2026. Each domain was flagged by at least five independent scanning engines, a threshold that gives high confidence the domains are genuinely malicious rather than single-engine false positives. The registration patterns resemble industrial output: domains are created in large batches, put to use within weeks, and concentrated among a small set of registrars, top-level domains, and hosting providers.

The research, conducted by a team of security analysts, reveals an assembly-line approach to domain-based attacks. Attackers are scaling infrastructure for phishing, malware delivery, and other threats with unprecedented efficiency. The domains are weaponized rapidly after registration, often within days or weeks, which suggests automated provisioning and deployment pipelines. Operating at this scale lets threat actors stay ahead of takedown efforts: by the time a domain is blocklisted, its replacement is already registered and hosted.

The concentration of malicious domains among a small number of registrars and hosting providers raises questions about the effectiveness of current domain registration vetting. Some registrars sponsor a disproportionate share of the flagged registrations, whether because of lax verification procedures or active facilitation. The researchers call for greater scrutiny of these providers and improved collaboration between registrars, hosting companies, and security organizations to disrupt the supply chain.

The findings also highlight the role of top-level domains (TLDs) in enabling malicious activity. Certain TLDs are disproportionately represented among the flagged domains, suggesting that attackers favor TLDs with weak registration controls or low registration prices. The researchers recommend that TLD operators implement stronger validation measures and that security teams prioritize monitoring of high-risk TLDs.

The scale of the operation, 1.5 million domains in just five months, underscores the challenge facing defenders. Traditional blocklisting is insufficient when attackers can register new domains faster than they can be cataloged. The researchers advocate a shift toward predictive and behavioral detection that scores domains on registration patterns (batch registration at the same registrar, the choice of TLD and hosting provider, and domain age) together with early indicators of abuse, so that a domain can be treated as suspicious before it appears on any list.
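As an added illustration of that registration-pattern triage (this is example code written for this page, not code from the report or from Help Net Security), the script below measures the three things the article describes over a flagged-domain corpus (time from registration to first detection, concentration by registrar and TLD, and same-day batch registration) and then uses those shares as priors to score a domain that is not yet on any blocklist. Every record, registrar name, ASN, threshold and weight is a constructed assumption; the TLDs used are the reserved `.test`, `.example` and `.invalid`, and the ASNs are from the documentation range, so nothing here points at a real provider.

```python
# Registration-pattern triage for newly registered domains (added example).
# Assumes a feed of flagged-domain records carrying the RDAP/WHOIS creation
# date, sponsoring registrar, hosting ASN and first-detection date.
# All records, names, weights and thresholds below are constructed assumptions.
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass(frozen=True)
class DomainRecord:
    name: str
    registrar: str
    created: date                        # RDAP/WHOIS creation date
    hosting_asn: str                     # ASN the A record resolved to
    first_flagged: Optional[date] = None  # None: not (yet) flagged by any engine


def tld(name: str) -> str:
    return name.rsplit(".", 1)[-1].lower()


def median_days_to_weaponization(flagged):
    """Median gap between registration and first detection."""
    return median((r.first_flagged - r.created).days for r in flagged)


def concentration(records, key, top_n=1):
    """Top-n values of key (registrar, TLD, ASN) and their share of the corpus."""
    top = Counter(key(r) for r in records).most_common(top_n)
    return top, sum(n for _, n in top) / len(records)


def registration_batches(records, min_size=5):
    """Domains registered on the same day, at the same registrar, in the same TLD."""
    groups = defaultdict(list)
    for r in records:
        groups[(r.registrar, r.created, tld(r.name))].append(r.name)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


class RegistrationProfile:
    """Share of the flagged corpus per registrar / TLD / ASN, used as priors."""
    def __init__(self, flagged):
        n = len(flagged)
        self.registrar = {k: v / n for k, v in Counter(r.registrar for r in flagged).items()}
        self.tld = {k: v / n for k, v in Counter(tld(r.name) for r in flagged).items()}
        self.asn = {k: v / n for k, v in Counter(r.hosting_asn for r in flagged).items()}


# Constructed weights; a real deployment would fit these on labelled data.
WEIGHTS = {"registrar": 0.25, "tld": 0.20, "asn": 0.15, "age": 0.20, "batch": 0.20}


def risk_score(candidate, profile, new_registrations, today, min_batch=5):
    """0..1 risk score for a domain not on any blocklist, plus the signals behind it."""
    age_days = (today - candidate.created).days
    batches = registration_batches(new_registrations, min_batch)
    in_batch = any(candidate.name in names for names in batches.values())
    signals = {
        "registrar": profile.registrar.get(candidate.registrar, 0.0),
        "tld": profile.tld.get(tld(candidate.name), 0.0),
        "asn": profile.asn.get(candidate.hosting_asn, 0.0),
        "age": 1.0 if age_days < 14 else 0.5 if age_days < 60 else 0.0,
        "batch": 1.0 if in_batch else 0.0,
    }
    return round(sum(WEIGHTS[k] * v for k, v in signals.items()), 2), signals


# Constructed sample corpus: ten flagged domains, eight at one registrar.
D = date
FLAGGED = [
    DomainRecord(f"secure-login-{i}.test", "Registrar-A", D(2026, 2, 3), "AS64496", D(2026, 2, 10))
    for i in range(6)
] + [
    DomainRecord("invoice-portal.example", "Registrar-A", D(2026, 3, 1), "AS64496", D(2026, 3, 20)),
    DomainRecord("account-verify.example", "Registrar-A", D(2026, 3, 1), "AS64496", D(2026, 3, 20)),
    DomainRecord("update-now.invalid", "Registrar-B", D(2026, 1, 15), "AS64500", D(2026, 1, 30)),
    DomainRecord("parcel-track.example", "Registrar-C", D(2026, 4, 2), "AS64505", D(2026, 4, 30)),
]
PROFILE = RegistrationProfile(FLAGGED)
TODAY = D(2026, 6, 1)
# Constructed "newly seen" registrations: one same-day batch plus an old corporate domain.
NEW_REGISTRATIONS = [
    DomainRecord(f"login-secure-{i}.test", "Registrar-A", D(2026, 5, 28), "AS64496")
    for i in range(5)
] + [DomainRecord("corp-intranet.example", "Registrar-D", D(2024, 1, 10), "AS64510")]
HOT, COLD = NEW_REGISTRATIONS[0], NEW_REGISTRATIONS[-1]

if __name__ == "__main__":
    print("median days registration -> first flag:", median_days_to_weaponization(FLAGGED))
    print("top registrar:", concentration(FLAGGED, lambda r: r.registrar))
    print("top TLD:", concentration(FLAGGED, lambda r: tld(r.name)))
    for key, names in registration_batches(FLAGGED).items():
        print("batch", key, "->", len(names), "domains")
    for cand in (HOT, COLD):
        print(cand.name, risk_score(cand, PROFILE, NEW_REGISTRATIONS, TODAY))
```

The point of the score is that a domain in a fresh same-day batch at a registrar and TLD that already dominate the flagged corpus is actionable (sinkhole, DNS RPZ, mail-gateway quarantine) on the day it is registered, before any engine has seen it; the batch key (registrar, creation date, TLD) is deliberately coarse so that it also catches batches whose labels share no string pattern a DGA detector would match.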

This research adds to a growing body of evidence that domain registration infrastructure is being systematically exploited by cybercriminals. Previous studies have documented domain generation algorithms (DGAs) and fast-flux networks, which churn through algorithmically generated names or rapidly rotating IP addresses; the current findings reveal a more organized, assembly-line approach in which ordinary-looking domains are registered in bulk through a handful of providers. The researchers emphasize that disrupting the registration pipeline, rather than chasing individual domains, is key to reducing the volume of domain-based attacks.

The full report, published by Help Net Security, provides detailed analysis of the registrars, TLDs, and hosting providers most commonly associated with malicious domains. The researchers also offer recommendations for registrars, hosting providers, and security teams to detect and mitigate these threats more effectively.

Synthesized by Vypr AI